Cisco Systems CL-28826-01 Security Camera User Manual
30-3
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
Overview of Remote Access VPN Policies for ASA and PIX 7.0+ Devices
Public Key Infrastructure—You can create a Public Key Infrastructure (PKI) policy to generate enrollment requests for CA certificates and RSA keys, and to manage keys and certificates. Certification Authority (CA) servers are used to manage these certificate requests and issue certificates to users who connect to your IPsec or SSL remote access VPN. For more information, see Understanding Public Key Infrastructure Policies, page 25-47 and Configuring Public Key Infrastructure Policies for Remote Access VPNs, page 25-52.
Policies used in remote access IPsec VPNs only:
Certificate To Connection Profile Maps, Policy and Rules (IKEv1 IPsec only)—Certificate to connection profile map policies let you define rules to match a user's certificate to a permission group based on specified fields. To establish authentication, you can use any field of the certificate, or you can have all certificate users share a permission group. You can match the group from the DN rules, the Organization Unit (OU) field, the IKE identity, or the peer IP address. You can use any or all of these methods. For more information, see Configuring Certificate to Connection Profile Map Policies (ASA), page 30-29.
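The matching logic described above, as an added illustration that is not Cisco's code and does not reproduce the ASA's certificate-map syntax: the PeerContext and MapRule classes, the rule set and the peer values are all constructed for this example. Rules are checked in priority order, a rule with no criteria matches every certificate user (the "shared permission group" case), and a peer that matches nothing falls back to a default profile.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical model of the peer's certificate plus the IKE context in which
# it was presented (constructed for this example, not an ASA data structure).
@dataclass
class PeerContext:
    subject: dict          # parsed subject DN attributes, e.g. {"CN": ..., "OU": ...}
    ike_identity: str      # identity the peer asserted in IKE
    peer_ip: str           # remote peer address

# One map rule: every populated criterion must hold for the rule to match.
@dataclass
class MapRule:
    profile: str                                   # connection profile to assign
    dn_equals: dict = field(default_factory=dict)  # subject attr -> required value
    ou_contains: Optional[str] = None              # substring test on the OU field
    ike_identity: Optional[str] = None             # exact IKE identity
    peer_network: Optional[str] = None             # CIDR the peer IP must fall in

def rule_matches(rule: MapRule, ctx: PeerContext) -> bool:
    for attr, want in rule.dn_equals.items():
        if ctx.subject.get(attr) != want:
            return False
    if rule.ou_contains is not None and rule.ou_contains not in ctx.subject.get("OU", ""):
        return False
    if rule.ike_identity is not None and ctx.ike_identity != rule.ike_identity:
        return False
    if rule.peer_network is not None and ip_address(ctx.peer_ip) not in ip_network(rule.peer_network):
        return False
    return True  # no criterion failed; an empty rule therefore matches everyone

def select_profile(rules: list, ctx: PeerContext, default: str = "DefaultRAGroup") -> str:
    # Priority order matters: put the most specific rule first.
    for rule in rules:
        if rule_matches(rule, ctx):
            return rule.profile
    return default

# Constructed rule set: specific rules first, a catch-all for the organisation last.
RULES = [
    MapRule("Engineering-VPN", dn_equals={"O": "Example Corp"}, ou_contains="Engineering"),
    MapRule("Contractor-VPN", dn_equals={"O": "Example Corp"}, peer_network="203.0.113.0/24"),
    MapRule("Corp-Default", dn_equals={"O": "Example Corp"}),
]
```

Reordering RULES so the catch-all comes first would route every Example Corp user to Corp-Default, which is the usual mistake to check for when a map rule appears not to fire.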
IKE Proposal—Internet Key Exchange (IKE), also called ISAKMP, is the negotiation protocol that enables two hosts to agree on how to build an IPsec security association. IKE is used to authenticate IPsec peers, negotiate and distribute IPsec encryption keys, and to automatically establish IPsec security associations (SAs). Use the IKE Proposal policy to define the requirements for phase 1 of the IKE negotiation. For more information, see Configuring an IKE Proposal, page 25-9.
IPsec Proposal (ASA/PIX 7.x)—An IPsec proposal is a collection of one or more crypto maps. A crypto map combines all the components required to set up IPsec security associations (SAs), including IPsec rules, transform sets, remote peers, and other parameters that might be necessary to define an IPsec SA. The policy is used for IKE phase 2 negotiations. For more information, see Configuring an IPsec Proposal on a Remote Access VPN Server (ASA, PIX 7.0+ Devices), page 30-33.
Policies used in remote access IKEv2 IPsec and SSL VPNs only:
Access—An Access policy specifies the security appliance interfaces on which a remote access SSL or IKEv2 IPsec VPN connection profile can be enabled, the port to be used for the connection profile, Datagram Transport Layer Security (DTLS) settings, the SSL VPN session timeout, and the maximum number of sessions. You can also specify whether to use the AnyConnect VPN Client or AnyConnect Essentials Client. For more information, see Understanding SSL VPN Access Policies (ASA), page 30-36.
Other Settings—The SSL VPN Other Settings policy defines settings that include caching, content rewriting, character encoding, proxy and proxy bypass definitions, browser plug-ins, AnyConnect client images and profiles, Kerberos Constrained Delegation, and some other advanced settings. For more information, see Configuring Other SSL VPN Settings (ASA), page 30-41.
Shared License—Use the SSL VPN Shared License page to configure your SSL VPN Shared License. For more information, see Configuring SSL VPN Shared Licenses (ASA 8.2+), page 30-62.
The following table explains whether a policy is required or optional for a particular type of VPN.
Table 30-1 Remote Access VPN Policy Requirements for ASA Devices

Policy                      Required or Optional
ASA Cluster Load Balancing  Optional for all VPN types.
Connection Profiles         Required for all VPN types.